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(57) Abstract: The present invention relates to a 
system and method for carrying out remote payment 
transactions. In prior art remote payment terminals, 
a remote payment transaction is controlled by 
software application instructions which have been- 
tested for compliance with security standards, and 
which are provided together with the remote payment 
terminal. A problem arises where it is required to 
update the application software. Any update requires 
reprogramming and retesting for compliance with 
security requirements. In the present invention, the 
application instruction means (software) are provided 
separately from a basic "universal" remote payment 
terminal and downloaded to the terminal to control 
a remote payment transaction. This has the advantage 
that if a change in the software application is required, 
it can be carried out and tested for security, separately 
from the terminal. 
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IMPROVED APPARATUS FOR REMOTE PAYMENT TRANSACTIONS 

The present invention relates to a method and 
apparatus for controlling remote payment transactions, and 
particularly, but not exclusively, to a remote payment 
terminal for facilitating payment transactions and to a 
method of controlling the terminal. 

Devices for carrying out remote payment transactions 
are well-known. These "payment terminals" include EFTPOS, 
credit card payment terminals, etc. 

The function of such remote payment terminals is to 
facilitate payment transactions. Goods/services will 

usually be offered by the payment terminal holder. The 
payment terminal provides message information to a 
"transaction acquirer" (which may be a bank) to enable the 
transaction acquirer to settle the transaction. Message 
information may also be provided to determine whether the 
person who owns the card has sufficient funds to enable the 
transaction. A transaction usually takes place by means of 
a card, such as a credit card or a debit card. 

A payment terminal may, for example, provide for the 
following basic operations: 

(1) Input of information which is required to enable 
a transaction eg. identification of the card holder's 
account. The information is most often read from a 
magnetic stripe on a credit card or bank card or the like, 
or a smart card. In addition to reading details from a 
card a PIN number or the like code may also be required, 
for security purposes. 

(2) Obtain access to the users account. This is 
usually done by remote communication with a processing 
device holding the person's account data, usually on bank 
premises and remote from the payment terminal. Usually, 
the information on the person's account input to the 
payment terminal will need to be transmitted for 
verification and to enable access to the account. Also a 
money amount will usually need to be input to the payment 
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terminal and transmitted over the communications line. At 
least some and perhaps all of the transmitted data may be 
encrypted for security purposes and the payment terminal is 
therefore, in such a case, required to have means (3) 
5 providing for encryption. 

(4) The payment terminal may need to be able to 
receive communications over the remote line from the 
processor accessing the user's account, ie. to provide an 
"answer" to the payment device regarding the user 

10 transaction. The answer may Include information that an 
account debit/credit has taken place (eg. EFTPOS) or merely 
an approval that the user has enough money in his account 
to enable a transaction (some credit card payment 
terminals) . Again, this transmitted information may be 

15 encrypted and, if so, will require translation (5) in the 
payment terminal . 

(6) To provide a message that the transaction request 
is approved or that a transaction has occurred, by display 
or printer, for example. 

20 These basic operations can be carried out in. number of 

different ways, governed by the hardware /software 
combination of the brand of payment terminal and the 
requirements of the owner of the payment terminal. The 
payment terminal owner is usually an account acquirer such 

25 as a bank. Different account acquirers generally have very 
different requirements for operation of their payment 
terminals. For example, they will generally have differing 
requirements for the type and operation of encryption for 
communications. They would also generally have different 

30 requirements for the display and formatting of any 
"receipt" to be printed out for th£ customer. Also, 
communications protocols may be very different from bank to 
bank. The format of data storage on an account holders 
card generally varies quite widely from bank to bank as, 

35 indeed, may the content of the data on the account holders 
card. 
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To date, various account acquirers have usually 
directed a manufacturer of payment terminals to manufacture 
a terminal in accordance with their requirements. Thus, 
there are many different brands of payment terminal, 
operating different varieties of hardware and software in 
order to satisfy the various requirements of the various 
. account acquirers. Not only account acquirers may require 
tailored payment terminal operation, but requirements may 
be dictated by goods/service providers who operate the 
terminals at the "front end", eg. retail chains. 

An important requirement for payment terminals is that 
they must generally ensure that communicated information is 
secure, usually by way of encryption. Security must also 
be provided to govern access to accounts. Often the 
payment terminal will include security information such as 
one or more "secret keys" which facilitate secure 
communications and ensures that access to an account can't 
be obtained in error or fraudulently. 

Because these devices are required to deal with 
security sensitive information, it is a requirement that 
these devices be thoroughly tested before they are allowed 
to be used, in order to ensure that they operate correctly 
and no errors are likely to be made, particularly with the 
security sensitive information. Such testing can take many 
man hours and is therefore quite expensive. It is 
nevertheless absolutely necessary and devices will not be 
allowed to be used which have not been "certified" as 
complying with all security and operational requirements. 

Because of the need to ensure that operation of the 
payment terminal does not cause any security risk, any 
software change which may be required by an account 
acquirer requires the entire terminal and software to be 
completely retested to ensure compliance. Any change, 
therefore, is extremely expensive because of this need for 
testing and also because it is necessary to reprogram the 
terminal in each case. Another problem with payment 
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terminals is that because of the way the terminal is 
established, i.e., by being manufactured and tested with 
software and hardware for one particular account acquirer 
who is the owner of the terminal, a terminal has a 
"primary" relationship to the owner ("primary") account 
acquirer. The primary account acquirer will essentially 
dictate the nature of the operation of the terminal and 
will select the software operation to be carried out by the 
device. Although the primary acquirer may well take into 
account some of the needs of other acquirers whose accounts 
may also be accessed via the terminal, there will be a 
natural reluctance on behalf of the primary acquirer to 
meet all the other acquirers operational needs. After all, 
the primary acquirer will usually be in competition with 
the other acquirers. Further, even if the desire were 
there for the primary acquirer to meet the other acquirers 
needs in detail, expense of changes, mainly due to it 
being necessary to test the entire terminal and software 
for certification purposes, is another disincentive. The 
cost involved in making any changes is great, and therefore 
the primary acquirer is likely to be reluctant to do so. 

Thus, the primary acquirer will usually program a 
device in a way in which suits them rather than other 
acquirers. This and other factors lead to a lot of 
"back-end" processing. Rather than dealing with acquirers 
requirements in the software and arrangement of the 
terminal device itself, processing is carried out by 
computers at the "back-end". For example, all 

communications from the payment terminal for all account 
acquirers may be routed to a processing system at a primary 
account acquirer. The processing system at the primary 
account acquirer then further processes the information and 
may send further communications to other account acquirers 
in order to process a transaction. These acquirers, may 
have their own processing systems carrying out further 
processes This u back-end" processing leads to an increase 
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in cost for the consumer. 

The present invention provides a system for 
controlling remote payment transactions, comprising a 
remote payment terminal including processing means and an 
operating system arranged to carry out a remote payment 
transaction operation in accordance with application 
instruction means, an application memory means storing the 
application instruction means for operation of the payment 
terminal, the arrangement being such that application 
instruction means is independent of the rest of the payment 
terminal . 

By "independent" is meant that the application 
instruction means can be handled as a separate entity. For 
example, they may be able to be altered and tested 
separately from the rest of the payment terminal . They may 
. also be able to be provided to the system separately from 
the rest of the payment terminal. A common payment 
terminal may thus be able to handle a number of different 
sets of application instruction means, provided 
independently. 

Preferably, any change in the application instruction 
means can be carried out without it being necessary to re- 
test the other software and/or hardware of the terminal, by 
applying the present invention. 

Preferably, the application instruction means (usually 
in the form of software) is stored in a separate memory 
means, preferably a separate memory module. The memory 
module may be of the "plug- in" variety arranged to plug 
into the payment terminal - or may be stored on a "smart 
card" . where the application instruction means is stored 
on a smart card, a smart card reader is preferably provided 
with the payment . terminal to enable the application 
instruction means to be read to the payment terminal 
operating systems. 

In a payment processing system utilising the present 
invention, therefore, each account acquirer may preferably 
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provide its own application instruction means stored on a 
memory module, such as a smart card. A particular 
application instruction means will be selected when the 
respective account acquirers system is to be accessed, eg 
5 when a user of that acquirers accounts system wishes to 
make a payment transaction via the remote payment 
transaction terminal . 

Preferably, if the application instruction means is on 
a smart card or the like, when a user swipes their magnetic 

10 card or smart card the remote payment terminal is arranged 
to call for the particular account acquirers application 
instruction means, and the vendor (i.e payment terminal 
operator) will then load the terminal with the particular 
account acquirers application instructions, in one 

15 embodiment by reading the account acquirers smart card 
containing the particular application instruction means. 

Different account acquirers can therefore conveniently 
implement different processing requirements for their 
accounts systems by providing different application 

20 instructions. These application instructions may govern 
all aspects of the remote payment transaction including 
communications, i.e. the remote payment terminal may be 
directed to communicate with the particular account 
acquirers "host" terminal. 

25 Because the application instruction means can 

preferably be tested separately from the payment terminal, 
it is not necessary to go to the expense of retesting the 
entire payment terminal and operating system merely for an 
applications upgrade for a particular account acquirer. 

3 0 Application changes and upgrades can therefore ■ be 
implemented relatively cheaply. A payment terminal 

arranged to receive the application instruction means in 
this form can be termed a "universal" terminal. The 
operating system and payment terminal may only need to be 

35 tested and certified once. Applications may then be 
provided separately, and also tested separately. 
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Preferably, security of data can also be included in the 
memory module, for controlling the security for each 
particular acquirer. 

Different applications may be provided for the same 
account acquirer. For example, the account acquirer may 
require different applications for different types of 
account it administers, eg credit card accounts, current 
accounts, etc. Present invention preferably facilitates 
the provision of as many different applications as may be 
required. 

An alternative to providing application on separate 
memory modules is to provide a universal terminal having a 
partitioned memory with secure memory address locations for 
loading application instruction means for particular 
account acquirers. Application instruction means could 
then be uploaded by telecommunications, i.e data transfer 
on-line. 

In the prior art, generally one account acquirer 
controls transactions with all the other account acquirers. 
With use of the present system, however, it would be 
possible for each acquirer to control its own transactions, 
as each acquirer may provide separate application 
instructions. 

In a preferred embodiment, an arrangement in 
accordance with the applicants co-pending International 
Patent Application Number PCT/AU98/00173 may be utilised. 
This co-pending application describes a generic software 
arrangement which is particularly suitable for remote 
payment transaction processing and which can be adapted to 
run on different hardware architectures. 

Any other "open" software system may be used and 
applicants invention is not limited to that disclosed in 
PCT/AU98/00173. 

Another feature of the present invention, is that in 
some cases the memory module may preferably include memory 
locations for storing details of transactions which have 
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taken place over a particular time period (eg on a day by 
day basis) . The memory module can then be returned to the 
account acquirer, eg. at the end of the day, so 
transactions, can be processed. This will be most 

convenient where the memory module is a smart card. This 
arrangement does not require any on-line communications 
between the account acquirer system and the remote payment 
terminal. 

By "operating system" we don't necessarily mean an 
operating system as is conventionally understood i.e. an 
operating system arranged to control hardware and 
peripherals in accordance with application commands. While 
it includes such a basic operating system, it is also 
envisaged that the operating system in the payment terminal 
may also include commands which enable it to interface with 
the application instruction means and may also include more 
sophisticated "high level" commands for controlling 
operation of a remote payment transaction. 

For example, the application instruction means may be 
a set of instructions arranged to control merely the 
aspects of operation of the terminal which are required to 
be varied from account acquirer to account acquirer. 
"Application" instructions, in this case, will also be 
included in the operating system, for controlling aspects 
of operation of the terminal which are common to all 
acquirers . 

Preferably, therefore, a payment terminal device is 
developed and tested separately from application software 
for running the device. Different payment terminal devices 
in the present invention, including the basic payment 
terminal operating system and software ("fixed program") 
may be certified to carry out a number of applications and 
the fixed program may include a list of options that the 
device is certified for. Any application software being 
run on that particular device will, preferably, first check 
whether device is suitable for running all the options 
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available in that particular application software module. 
It may only run a limited number. of the options available, 
or the device may be arranged to run all the options. 

On the other hand, the fixed program of the device is 
preferably arranged to register the application software 
(external) software and determine what cards it can 
process. Both the device and the application software may 
be able to determine whether to or not they are compatible 
and if they are, exactly what operations can be run. 

The remote payment terminal, therefore, preferably 
includes a fixed program which includes instructions for 
controlling the terminal to access application software 
from a separate memory area and control the payment 
terminal to run in accordance with one, some or all of 
options and features which may be included in the separate 
applications software. Preferably, the applications 

program is arranged to assess the security of the device 
and what operations it is certified for, and then only to 
run the operations in the application software that the 
device is certified for. 

The present invention therefore preferably has the 
advantage that a plurality of "generic" payment terminals 
can be provided. The generic terminals are certified by 
the account acquirers to run application software which is 
provided separately, preferably by the generic terminal 
being able to accept separate memory modules containing the 
software. The generic terminals can therefore be purchased 
by prospective users, e.g., merchants, as well as by 
account acquirers and the like. The user is then provided 
with the application software required for dealing with 
different account acquirers, by the provision of separate 
memory modules. Each application software module can be 
tested and certified separately from the device. 

As an alternative to providing separate memory 
modules, separate memory areas may merely be specified in 
the generic terminal for loading of the separate 
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independent application instruction means. 

The present invention further provides a remote 
payment terminal, comprising a processing means and 
operating system arranged to carry out a remote payment 
transaction operation in accordance with application 
instruction means, the operating system being arranged to 
access the application instruction means in a separate 
application memory means, and the remote payment terminal 
and operating system being arranged to be independent from 
the application instruction means. 

By "independent" is meant that the remote payment 
terminal can be handled as a separate entity, and may be 
provided with a plurality of separate independent 
application instruction means to operate in accordance with 
those instructions. The remote payment terminal is 
preferably essentially generic to the plurality of separate 
application instruction means. Preferably, the remote 
payment terminal can be tested for compliance with 
predetermined requirements, separately from the application 
instruction means. 

Preferably, the operating system includes a fixed 
program which is arranged to interface with the application 
instruction means. The fixed program may, for example, 
include a list of applications which it is compatible with 
and on operation of the card by a user (e.g., to swipe a 
certain account acquirers bank card) . 

The present invention yet further provides an 
application memory means, storing application instruction 
means for instructing a remote payment terminal comprising 
a processing means and operating system, to carry out 
remote payment transactions in accordance with the 
application instruction means, the application instruction 
means being independent from the payment terminal and 
operating system. 

Preferably, the application memory means is a separate 
memory module and is preferably provided by way of a smart 
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card or the like. Preferably, security information may 
also be stored in the application memory means. In one 
embodiment, memory locations may also be provided for 
storing data on transactions. 

The present invention yet further provides a method of 
operating a remote payment terminal comprising a processing 
means and operating system arranged to carry out remote 
payment transactions in accordance with application 
instruction means, comprising the steps of providing the 
application instruction as an independent entity. 

Preferably/ the application instruction means provided 
from a separate application memory means. 

Preferably, the separate application memory means is a 
separate memory module, such as a smart card. 

The present invention yet further provides a method of 
arranging a remote payment transaction processing system, 
comprising the steps of providing a universal terminal 
which includes a basic set of operating instructions and 
hardware sufficient for carrying out remote payment 
transactions in accordance with application instruction 
means, separately providing independent application 
instruction means for instructing operating of the remote 
payment terminal to carry out remote payment transactions . 

Preferably the method also includes the step of 
separately testing the application instruction means for 
compliance with a remote . payment processing system, 
separately from testing of the remote payment terminal. 

The present invention yet further provides a system 
for controlling remote payment transactions, comprising a 
remote payment terminal including a processing means and 
operating system arranged to carry out a remote payment 
transaction operation in accordance with application 
instruction means, and a separate memory module, such as a 
smart card, storing the application instruction means for 
instructing the remote payment transaction. 

Features and advantages of the present invention will 
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become apparent from the following description of an 
embodiment thereof, by way of example only, with reference 
to the accompanying drawings, in which; 

Figure 1 is a schematic diagram of a system for controlling 
5 remote payment transactions in accordance with an 
embodiment of the present invention, and 

Figure 2 is a diagram showing the architecture of the 
system of figure 1. 

Reference numeral 1 indicates a "universal" payment 
10 processing terminal in accordance with an embodiment of the 
present invention. 

The payment terminal comprises a central processing 
unit 2 which includes a memory, a microprocessor, and other 
hardware as would be known to a person skilled in the art, 
15 and an operating system for carrying out remote payment 
transaction operations in accordance with application 
instruction means. The terminal 1 also includes a smart 
card reader 3 connected to the central processing unit 1 
and a communications module 4 also connected to the central 
20 processing unit 2. The communications module 4 is used for 
communications with host computers of an account acquirer, 
to facilitate on-line remote payment transactions, as is 
well-known to persons skilled in the art. 

The terminal 1 also includes a printer 5 and a display 
25 6 for printing and displaying information on remote payment 
transactions, and a keyboard 7 for inputting data. 

Reference numerals 8,9 and 10 designate "smart" cards, 
each of which includes a memory module 8a, 9a, 10a which is 
arranged to store application instruction means for 
30 instructing operation of the terminal 1 to control remote 
payment transactions. 

This arrangement is very different from payment 
processors of the prior art, which incorporate the 
application instruction means directly within the terminal 
3 5 1, not separately on a separate memory module. 

In operation, when a customer requires a remote 
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payment transaction, the customer will be required to 
insert their account card, which may be a smart card, in 
the card reader. Note that the account card may 
alternatively be a standard magnetic card, and a magnetic 
card reader (not shown) may be provided, in which case the 
customer will swipe their card through the magnetic stripe 
card reader. The central processing unit 2 is arranged to 
detect that a card has been swiped and (or customer smart 
card read) and will then ask or require that an application 
instruction means be loaded. This may be done in a number 
of ways. For example, the display 6 may indicate which 
particular application instruction means is required by the 
CPU 2. Alternatively, a payment terminal operator may know 
from the customers card exactly which set of application 
instruction means are required. There are a number of ways 
in which the required application instruction means can be 
indicated. The next step is that the required application 
instruction means is loaded to the CPU 2 by inserting the 
card 8,9,10 into the card reader and downloading the 
application instruction means. Subsequently, the remote 
payment process may be carried out, in accordance with the 
application instruction means which have been downloaded 
for the customer. 

In a subsequent transaction requiring different 
application instruction means, then the terminal would 
require a different card 8,9,10 to be loaded into the card 
reader . 

There are a number of ways in which the application 
instruction means may be provided to the payment terminal 
1. Separate "plug-in" memory modules could be provided, 
which are not smart cards; application instruction means 
could be downloaded on-line and stored in a separate memory 
location in the central processing unit 2. The important 
feature of the invention is that the application 
instruction means can be dealt with completely separately 
from the remote payment terminal. It is therefore 
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necessary only to test and certify the remote payment 
terminal itself once. Each time application instruction 
means require updating or modifying, because of the 
requirements of a particular account acquirer, for 
example, this can be done completely separately, and 
testing of the application can be done separately. 

Another possibility for providing the application 
instruction means may be on a customer card having a memory 
module for containing application instruction means, as 
well as having means containing the customer information 
and data. The card holder may therefore have a smart card 
which, as well as containing information for enabling a 
transaction with his account, also contains the application 
instruction means for operating a "universal" terminal. 

The memory module which separately contains the 
application instruction means may also preferably contain 
the security data for the particular account acquirer. 

Figure 2 shows an architecture for a preferred 
embodiment of the present invention. 

The payment terminal 1 incorporates an operating 
system 20 and hardware 21 (the hardware is described above 
with reference to Figure 1). The operating system controls 
the hardware to carry out remote payment transaction in 
accordance with application instructions 23, 24 which are 
provided via a separate memory module as explained with 
reference to Figure 1. The separate memory module, also 
includes security data 25, 26. The payment transaction 
will also require information from the user card and other 
input information, such as a PIN (via the keypad 7) , as 
indicated by reference, 27. 

In accordance with a preferred embodiment, the 
architecture of the present invention utilises the novel 
software configuration described in applicants co-pending 
Application Number PCT/AU98/00173 , the specification of 
which is incorporated herein by reference. The operating 
system therefore comprises a fixed program including 
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virtual machine (VM) processors 30, comprising a message 
engine, a protocol engine and a function processor, forming 
a "virtual machine" for running generic application 
instruction means. The message engine is a separate 
virtual processor whose function is to deal with the 
assembly and disassembly of messages. The protocol engine 
is a separate virtual processor whose function is to 
organise communications. 

The present invention is not limited to utilising the 
virtual machine described in PCT/AU98/00173 . Any "open" 
software system could be applied. Virtual machines, which 
operate on different hardware are well-known in the art. 
Any software operating system may be used as long as the 
application instructions are compliant with the operating 
system. 

The fixed program also includes an interface 35 which 
is arranged to interface with application instruction means 
23, 24. The interface 35 may include a list or table of 
the applications which this particular device 1 is 
compatible with. On insertion and swiping of a user card, 
the type of application required is detected and the 
interface 35 will check the list and ask for the particular 
application if it is available, and if it is not available 
in this particular device 1 it will indicate that the 
transaction cannot be carried out for this particular user 
card. The interface 35 also preferably includes a list of 
options accessible by application instruction means 23, 24, 
indicating the features or options of payment transactions 
which the device 1 is capable of carrying out. The 
application instructions may include means for determining 
which of a number of options in the, application 
instructions the device is capable of carrying out and only 
then running those options that the device is capable of 
carrying out. This arrangement takes into account the fact 
that over a period of time developments to applications may 
occur which may not be compatible with machines that were 
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developed some time ago. 

Variations and/or modifications may be made to the 
invention as shown in the specific embodiments without 
departing from the spirit or scope of the invention as 
broadly described. The present embodiments are, therefore, 
to be considered in all respects as illustrated and not 
restrictive . 
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THE CLAIMS DEFINING THE INVENTION ARE AS FOLLOWS: 

1. A system for controlling remote payment transactions, 
comprising a remote payment terminal including 
processing means and an operating system arranged to 

5 carry out a remote payment transaction operation in 

accordance with application instruction means, and an 
application memory means storing the application 
instruction means for operation of the payment 
terminal, the arrangement being such that application 
10 instruction means is independent from the rest of the 

payment terminal . 

2. A system in accordance with claim 1, wherein the 
application memory means is a separate memory module. 

3 . A system in accordance with claim 2 wherein the memory 
15 module is provided on a smart card or the like. 

4. A system in accordance with claim 2 or claim 3, 
wherein the application memory means is carried on a 
card intended for a cardholder, and also including 
data enabling a transaction with the cardholder's 

2 0 account . 

5. A system, in accordance with claim 1, wherein the 
remote payment terminal includes a partitioned memory 
with secure memory address locations for the 
application instruction means. 

2 5 6. A system in accordance with any one of the preceding 
claims, wherein there are a plurality of application 
instruction means, each application instruction means 
enabling control of a transaction by an account 
acquirer associated with those application instruction 

30 means., whereby different account acquirers may control 

transactions depending upon . the application 
instruction means utilised. 
7. A remote payment terminal, comprising a processing 
means and an operating system arranged to carry out 

35 remote payment transaction operation in accordance 

with application instruction means, the operating 
system being arranged to access the application 
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instruction means in an application memory means, and 
the remote payment terminal and operating system being 
arranged to be independent from the application 
instruction means. 

8. A remote payment terminal in accordance with claim 7, 
wherein the operating system includes a fixed program 
arranged to interface with a plurality of different 
application instructions means for controlling 
operation of the terminal . 

9. A system for controlling remote payment transactions, 
comprising a remote payment terminal in accordance 
with any one of claims 7 or 8, and a plurality of 
memory means each storing application instruction 
means for controlling the remote payment terminal, the 
application instruction means of each memory means 
being arranged to provide for different requirements 
for operation of a remote payment terminal . 

10. An application memory means, storing application 
instruction means for instructing a remote payment 
terminal in accordance with any one of claims 7 or 8, 
to carry out remote payment transactions in accordance 
with the application instructions being independent 
from the payment terminal . 

11. A method of operating a remote payment terminal 
comprising a processing means and operating system 
arranged to carry out remote payment transactions in 
accordance with application instructions means, 
comprising the steps of providing the application 
instruction means as an independent entity. 

12. A method of arranging a remote payment transaction 
processing system, comprising steps of providing a 
universal terminal which includes a set of operating 
instructions and hardware sufficient for carrying out 
remote payment transactions in accordance with 
application instruction means, separately providing 
independent application instruction means for 
instructing operating of the remote payment terminal 
to carry out remote payment transactions. 
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13. A method in accordance with claim 12, comprising the 
step of separately testing the application instruction 
means for compliance with the remote processing 
system. 

14. A computer readable medium storing instructions for 
controlling a remote payment terminal to operate in 
accordance with any one of claims 7 and 8. 

15. A remote payment terminal, comprising a processing 
means and an operating system arranged to carry out 
remote payment transaction operations in accordance 
with application instruction means, the operating 
system including a fixed program arranged to interface 
with a plurality of alternative different application, 
instruction means for controlling operation of the 
terminal . 

16. A system for controlling remote payment transactions, 
comprising a remote payment terminal including 
processing means and an operating system arranged to 
carry out a remote payment transaction operation in 
accordance with application instruction means, the 
remote payment terminal including a fixed program, and 
memory means storing a plurality of different 
application instruction means being arranged to 
interface with the fixed program, for controlling 
operation at the terminal in accordance with one or 
more of the plurality of application instruction 
means . 
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ARCHITECTURE DE CARTE A PUCE INTEGRANT DES 
PERIPHERIQUES 

L' invention concerne 1' architecture interne d'une 
carte a puce integrant clivers types de peripherique . 

L' invention propose notamment <d' augmenter le niveau 
5 de securite d'une telle carte et de faciliter son 
utilisation. 

Les cartes a puce avec et/ou sans contact sont 
destinees a la realisation de diverses operations 
telles que, par exemple, des operations bancaires, des 

10 communications telephoniques, diverses operations 
d' identification, ou des operations de type 
telebilletique . 

La majorite des procedes de fabrication de carte a 
puce est basee sur 1' assemblage d'une puce de circuit 

15 integre dans un sous-ensemble appele micromodule qui 
est relie a une interface de communication et encarte, 
c'est a dire place dans une cavite menagee dans le 
corps de carte, en utilisant des techniques connues de 
l'homme du metier. 

20 La puce de circuit integre est un composant 

securise apte a communiquer uniquement avec un lecteur 
de carte. 

Les cartes a contact comportent des metallisations 
affleurant la surface de la carte, disposees a un 

25 endroit precis du corps de carte, defini par la norme 
usuelle ISO 7816. Ces metallisations sont destinees a 
venir au contact d'une tete de lecture d'un lecteur en 
vue d'une transmission electrique de donnees. 

Les cartes sans contact comportent une antenne 

30 permettant d'echanger des informations avec l'exterieur 
grace a un couplage' electromagnetique entre 
1' electronique de la carte et un appareil recepteur ou 
lecteur. Ce couplage peut etre effectue en mode lecture 
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ou en mode lecture/ecriture, et la transmission de 
donnees s'effectue par radiof requence ou par 
hyperf requence . 

II existe egalement des cartes hybrides ou 
5 « combicards » qui comportent a la fois des 
metallisations affleurant la surface de la carte et une 
antenne noyee dans le corps de la carte. Ce type de 
carte peut done echanger des donnees avec l'exterieur 
soit en mode contact, soit sans contact, 

10 Les peripheriques qui peuvent etre associes a une 

carte a puce sont multiples. II s'agit par exemple d'un 
afficheur, d'un clavier, d'un haut-parleur ou d'un 
vibreur piezo-electrique, d'une interface de 
communication par radiof requences, ou de composants de 

15 mesure de 1 ' environnement telle que la temperature, des 
radiations ionisantes ou autre, ou de composants de 
mesure biometrique telle qu'un capteur d' empreinte 
digitale, un microphone et un systeme de traitement de 
la voix, ou autre. 

20 Ces peripheriques doivent necessairement 

communiquer avec la puce de circuit integre de la carte 
afin d' echanger des donnees. Or, les puces de circuit 
integre utilisees dans les cartes a puce sont des 
composants securises prevus pour etablir une 

25 communication uniquement avec un lecteur de carte. 

Ainsi, dans une architecture standard utilisant des 
composants standards, la communication entre la puce de 
circuit integre de la carte et un quelconque 
peripherique est impossible. 

30 II existe dej^ des cartes a puce integrant un ou 

plusieurs peripheriques. En general, la puce de circuit 
integre est alors congue pour gerer le peripherique 
integre. Ainsi, pour chaque application, il est 
necessaire de developper un nouveau coraposant pour le 
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circuit integre afin de iui permettre de gerer/ un 
ecran, un clavier ou tout autre peripherique 
predetermine. 

Cette solution, bien que performante, presente un 
5 inconvenient majeur du fait qu'il faille developper et 
fabriquer un composant electronique different pour 
chaque application de peripherique. En effet, la 
solution proposee consistait a programmer la puce de 
circuit integre de la carte pour piloter le 
10 peripherique tout en conservant ses caracteristiques 
securisees . 

La presente invention propose une autre solution 
pour integrer des peripheriques a une carte a puce qui 
permette d'utiliser les composants securises standards. 

15 Ainsi, 1' invention propose d' integrer . un 

gestionnaire de peripheriques muni d' une fonction 
lecteur afin de realiser 1' interface avec le composant 
securise de la carte. Cette fonction lecteur peut etre 
identique a celles realisees par les lecteurs de cartes 

20 a puce .standards. 

Selon une particularity de 1' invention, 1' interface 
de communications externes de la carte est partagee 
entre un lecteur externe lorsque la carte est utilisee 
comme une carte a puce classique, et une fonction 

25 lecteur integree dans le gestionnaire de peripherique. 
Ce dernier se presente done comme un lecteur de carte 
pour le composant securise.. 

L' invention consiste plus par ticulierement dans un 
dispositif electronique portable, du type carte a puce, 

30 integrant au moins un peripherique et comportant au 
moins un composant securise et une interface de 
communications externes, caracterise en ce qu'il 
comporte en outre un gestionnaire de peripheriques 
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comprenant au moins une fonction de lecteur de carte a 
puce pour communiquer avec le composant securise. 

Selon un mode de realisation pref erentiel, la 
fonction de gestion des peripheriques est mise en oeuvre 
5 par un programme executable stocke dans le composant 
securise. 

Selon un mode de realisation, le composant securise 
comprend une pluralite die programmes executables 
destines a la mise en oeuvre de differentes 
10 applications, chaque programme executable comprenant 
. une partie specif ique d' instructions . destinee a etre 
executee par le gestionnaire de peripheriques. 

Selon une caracteristique, le gestionnaire de 
peripheriques constitue une interface entre le 
15 composant securise et 1 ' utilisateur , et comporte une 
fonction de selection des applications permettant a ce 
dernier de choisir 1 ' application a mettre en oeuvre. 

Selon un premier mode, de realisation, le composant 
securise et le gestionnaire de peripheriques sont 
20 relies a 1' interface de communication en parallele. 

Selon une particularity de ce mode,, le dispositif 
comporte des moyens de deconnexion ou d' inhibition du 
gestionnaire de peripheriques lorsque 1' interface de 
communication externe est sollicitee pour communiquer 
25 avec le composant securise. 

Selon un deuxieme mode de realisation, le composant 
securise presente deux ports de communication 
d' entree-sortie, un premier port pour une communication 
avec 1' interface externe et un second port pour une 
30 communication avec le gestionnaire de peripheriques. 

Selon ' un troisieme mode de realisation, le 
composant securise et le gestionnaire de peripheriques 
sont relies a 1' interface de communication en serie, le 
gestionnaire de peripheriques gerant les transmissions 
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de donnees entre 1' interface externe et le composant 
securise. 

Selon une caracteristique, le gestionnaire de 
p&ripheriques comporte un mode de f onctionhement 
5 transparent lorsque l'interface de communications 
externes est sollicitee pour communiquer avec le 
composant securise. 

Selon les applications, les peripheriques sont 
choisis parmi un afficheur, un clavier, un capteur 
10 biometrique. 

La presente invention permet de realiser une carte 
a puce integrant des peripheriques tout en utilisant 
des composants securises standards, ce qui represente 
15 un gain de cout important. 

En outre, 1 ' architecture proposee par la presente 
invention permet d'utiliser differents composants 
securises correspondant a differentes applications a 
partir d'un meme gestionnaire de peripheriques sur une 
20 meme carte standard. 

II est ainsi. possible de developper des cartes a 
puce « multi applications » selon les puces de circuit 
integre inserees dans une meme carte. 

En outre, la carte a puce obtenue selon la presente 
25 invention conserve toutes ses caracteristiques 
standards et peut etre utilisee comme une carte a puce 
classique. 

D'autres particularites et avantages de 1' invention 
apparaitront a la lecture de la description qui suit 
30 donnee a titre d' exemple illustratif et non limitatif 
et faite en reference aux figures annexees dans 
lesquelles : 
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- La figure 1 est un schema de 1' architecture de 
la carte selon un premier mode de realisation de 
1' invention ; 

- La figure 2 est un schema de 1' architecture de 
5 la carte selon un deuxieme mode de realisation 

de 1' invention ; 

- La figure 3 est un schema de 1' architecture de 
la carte selon un troisieme mode de realisation 
de 1' invention ; 

10 

. Les applications de 1' invention sont multiples et 
variables . 

Ainsi, par exemple, avec une carte munie d' un 
ecran, il est possible de visualiser les donnees en 

15 dehors d'une infrastructure de lecteur de carte. Les 
applications les plus directes peuvent etre, par 
exemple, un porte-monnaie electronique avec 
visualisation du solde sur un ecran, ou une carte a 
puce de dossier medical avec visualisation directe et 

20 rapide de certaines donnees comme le groupe sanguin ou 
le carnet de vaccination. 

Selon le principe de 1' invention, le ou les 
peripheriques sont pilotes par un gestionnaire. de 
peripheriques qui constitue une interface avec le 

25 composant securise de la carte en se comportant a son 
egard comme un lecteur de carte- 

Le . gestionnaire de peripheriques comporte un 
microprocesseur pour la gestion des signaux en 
provenance des peripheriques. 

30 Par exemple, sur une carte a puce integrant un 

ecran et un clavier comme peripheriques, il est 
possible d'afficher une information sur 1' ecran en 
appuyant sur des touches du clavier. Le gestionnaire de 
peripheriques regoit alors un signal provenant du 
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clavier qu'il traite en recherchant 1' information 
correspondante dans le composant securise. 

Le gestionnaire de peripheriques comprend en effet 
un programme executable qui transforme les signaux en 
provenance des peripheriques en code de commande de 
carte a puce. Le gestionnaire de peripheriques se 
comporte done comme un lecteur de carte a puce a 
l'egard du composant securise. 

Selon un mode de realisation pref erentiel, le 
programme executable cl-dessus est stocke dans le 
composant securise. Dans ce cas, les donnees stockees 
de maniere permanente dans le gestionnaire de 
peripheriques peuvent avantageusement se limiter aux 
instructions necessaires a la lecture du fichier du 
composant securise contenant ledit programme 
executable, ainsi qu'aux instructions de lanceraent de 
1' execution de ce programme contenu dans ce fichier. 

Ainsi par exemple, il peut etre souhaitable de 
munir le gestionnaire de peripheriques d' un programme 
permettant notamment la saisie au clavier d'un code 
numerique, ou le calcul d'une signature biometrique ou 
autre. Par exemple, il peut etre interessant de faire 
executer au gestionnaire de peripheriques un nouvel 
algorithme de calcul de signature biometrique ou de 
modifier la nature des messages affiches sur un ecran. 

Grace a 1' invention, il .est possible de faire 
evoluer en securite les programmes contenus dans ledit 
fichier du composant securise. L' acces a ce fichier 
peut etre libre en lecture, mais sa modification ne 
pourra etre effectuee que par une autorite ayant des 
droits d' acces en ecriture sur ce fichier, comme 
l'emetteur de la carte par exemple. 

Dans le cas d'une carte « multi-applications », le 
composant securise comporte une pluralite de programmes 
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executables aptes a mettre en ceuvre ,les differentes 
applications et a transmettre les instructions 
adequates au gestionnaire de peripheriques. 

Le gestionnaire de peripheriques peut 
5 avantageusement servir d' interface entre le composant 
securise et 1' utilisateur afin que ce dernier choisisse 
1' application a mettre en ceuvre. II comporte a cet 
effet un programme de selection des differentes 
applications. 

10 Afin de securiser cette carte « multi- 

applications », le composant securise comporte un 
fichier par application, chaque fichier contenant un 
programme executable specifique de gestion des 
peripheriques. 

15 

L' interface entre le composant securise de la carte 
et le gestionnaire de peripheriques peut s' organiser de 
differentes manieres, mais en utilisant neanmoins 
toujours les signaux disponibles sur un composant 
20 securise standard. 

La figure 1 illustre schematiquement 1' architecture 
de la carte selon un premier , mode de realisation de 
1' invention . 

Dans ce mode de realisation, le gestionnaire de 
25 peripheriques et le composant securise sont relies a 
1' interface de communication de la carte en parallele. 

Dans 1'exemple illustre, l'-interface de 
communication est constitute par des plages de contact 
metalliques pour une application a une carte a puce a 
30 contact. Neanmoins, un schema equivalent peut etre 
envisage pour une application a une carte a puce sans 
contact, 1' interface de communication etant alors 
constitute par une antenne. 
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Le gestionnaire de peripheriques possede une 
fonction lecteur de carte a puce afin de lire et 
d'ecrire des donnees dans un espace memoire de la 
carte . 

5 De preference, lors de 1' insertion de la carte dans 

un lecteur de carte a puce externe, le gestionnaire de 
peripheriques se deconnecte immediatement des contacts 
pour ne pas interferer dans la transmission de donnees 
externes. 

10 A cet ef f et, le gestionnaire de peripheriques 

comporte des moyens de detection (detecteur) de la 
connexion a un lecteur externe, par exemple en 
detectant la tension d' alimentation ; ainsi que des 
moyens de deconnexion des contacts, par exemple par 

15 1' intermediaire d'un signal provenant des moyens de 
detection d'un lecteur externe et agissant sur les 
portes logiques qui vont le deconnecter des contacts. 

Ce mode de realisation permet avantageusement 
d'utiliser un composant securise standard sans la 

20 moindre modification. 

La figure 2 illustre schematiquement 1' architecture 
de la carte selon un deuxieme mode de realisation de 
1 ' invention . 

Dans ce mode de realisation, le gestionnaire de 
25 peripheriques et le composant securise sont egalement 
relies a 1' interface de communication de la carte • en 
parallele. 

Ce mode de realisation exploite cependant un second 
port d' entree / sortie generalement present sur les 
30 composants securises mais rarement utilises. Ce second 
port d' entree / sortie constitue une interface directe 
entre le composant securise et le gestionnaire de 
peripheriques. 
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II est cependant necessaire d'integrer dans le 
composant. securise, au moment de sa conception, le 
microcode necessaire a la gestion de ce second port 
d' entree / sortie. 
5 Ce mode de realisation permet une plus grande 

securite des donnees car le composant securise maitrise 
les informations circulant a 1' interface avec le 
gestionnaire de peripheriques. Une telle architecture 
est egalement plus souple car elle permet un controle 
10 direct des informations envoyees du composant securise 
vers les peripheriques. 

La figure 3 illustre schematiquement 1' architecture 
de la carte selon un troisieme mode de realisation de 
1' invention. 

15 Dans ce mode de realisation, le gestionnaire de 

peripheriques et le composant securise sont relies, a 
1' interface de communication de la carte en serie, le 
gestionnaire de peripheriques filtrant les commandes du 
composant securise . 

20 Ce mode de realisation permet une, simplification de 

1' interface externe de la carte a puce. En effet, il 
n'est alors plus necessaire de partager l'acces au 
composant securise entre 1' interface de communications 
exterieures et le gestionnaire de- peripheriques, ce 

25 dernier fonctionnant selon un mode transparent lorsque 
la carte est inseree dans un lecteur externe. 

A cet effet, des moyens de detection tels que ceux 
precedemment decrits peuvent etre utilises. En 
revanche, il est prevu des moyens assurant une 

30 connexion directe entre le composant securise et les 
contacts, ces moyens etant commandes par un signal 
provenant des moyens de detection ci-dessus en reponse 
a la detection d f un lecteur externe. 
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En outre, cette architecture est particulierement 
avantageuse dans le cadre d'une application de carte a 
puce sans contact lorsque 1' interface externe de la 
carte est de type radiof requence . En effet, le 
5 gestionnaire de peripheriques etant situe entre 
1' interface externe et le composant securise, il peut 
etre en mesure de gerer les interruptions provenant 
d'un peripherique quelconque et d'une borne de 
communication exterieure selon des priorites 
10 predetermines . 



15 
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REVINDICATIONS 



1. Dispositif electronique portable, du type carte 
a puce,. integrant au moins un peripherique et 
comportant au moins un composant securise et une 
interface de communications externes, caracterise en ce 
5 qu'il comporte en outre un gestionnaire de 
peripheriques comprenant au moins une fonction de 
lecteur de carte a puce pour communiquer avec le 
composant securise . 

10 2. Dispositif electronique selon la revendication 

1, caracterise en ce que la fonction de gestion des 
peripheriques est mise en oeuvre par un programme 
executable stocke dans le composant securise. 

15 3. Dispositif electronique selon 1'une des 

revendications 1 a 2, caracterise en ce que le 
composant securise contient une pluralite de programmes 
execiitables destines a la mise en oeuvre de differentes 
applications, chaque programme executable comprenant 

20 une partie specif ique d' instructions destinee a etre 
executee par le gestionnaire de peripheriques. 

4. Dispositif electronique selon la revendication 
3, caracterise en ce que le gestionnaire de 
25 peripheriques constitue une interface entre le 
composant securise et 1' utilisateur et comporte une 
fonction de selection des applications permettant a ce 
dernier de choisir 1' application a mettre en oeuvre. 
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5. Dispositif electronique selon 1'une quelconque 
des revendications 1 a 4, caracterise en ce que le 
composant securise et le gestionnaire de peripheriques 
sont relies a 1' interface de communication en 

5 parallele. 

6. Dispositif electronique selon la revendication 
5, caracterise en ce qu' il comporte des moyens de 
deconnexion ou d' inhibition du • gestionnaire de 

10 peripheriques lorsque 1' interface de communication 
externe est sollicitee pour communiquer avec le 
composant securise. 

7. Dispositif electronique selon 1'une quelconque 
15 des revendications 1 a 6, caracterise en ce que le 

composant securise presente deux ports de communication 
d' entree-sortie, un premier port pour une communication 
avec 1' interface externe et un second port pour une 
communication avec le gestionnaire de peripheriques. 

20 

8. Dispositif electronique selon 1'une quelconque 
des revendications 1 a 4, caracterise en ce que le 
composant securise et le gestionnaire de peripheriques 
sont relies a 1' interface de communication en serie, le 

25 gestionnaire de peripheriques gerant les transmissions 
de donnees entre 1' interface externe et le composant 
securise. 

9. Dispositif electronique selon la revendication 
30 8, caracterise en ce que le gestionnaire de 

peripheriques comporte un mode de f onctionnement 
transparent lorsque 1' interface de communication 
externe est sollicitee pour communiquer avec le 
composant securise . 
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10. Dispositif electronique selon l'une quelconque 
des revendications precedentes, caracterise en ce que 
les peripheriques sont choisis parmi un afficheur, un 
clavier, un capteur biometrique. 
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